W32.Imaut.AS is a worm that spreads through Yahoo! Instant Messenger by sending messages to the infected user's contacts in order to copy itself. It affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista and Windows XP.
The worm spreads by sending messages to all online Yahoo! Instant Messenger contacts. The text of the message will be one of the following:
* http: //dungcoivb.googlepages.com/FUN
* Olalala, may tinh cua ban da dinh Worm DungCoi...........
The worm creates the following files when it executes; these are the files to delete during removal:
- C:\PNga.txt
- %Windir%\Help\Other.exe
- %Windir%\inf\Other.exe
- %Windir%\system\Fun.exe
- %System%\config\Win.exe
- %System%\WinSit.exe
- %Windir%\dc.exe
- %Windir%\SVIQ.EXE
- %System%\NWB.dat
- (drive letter):\temp\temp.exe
Removal
- Update virus definitions
- Turn off Windows System Restore
- Run a full scan or deep scan
- Delete or disinfect the infected files
Navigate to and delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc2k5" = "C:\WINDOWS\SVIQ.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Fun" = "C:\WINDOWS\system\Fun.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc" = "C:\WINDOWS\dc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "C:\WINDOWS\system32\config\Win.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\system32\WinSit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "C:\WINDOWS\inf\Other.exe"
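As an added example (not part of the original write-up), the following Python parses the persistence entries listed above and checks them against a registry snapshot already exported as a `{(key path, value name): data}` dict (the snapshot format and sample values are constructed assumptions). It matches on key, value name and executable name rather than the literal `C:\WINDOWS` path, and separately flags a Winlogon `Shell` value that is anything other than plain `explorer.exe`, which is how this worm hooks the logon shell:

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Persistence entries exactly as listed in the write-up above (the page's own indicators).
IMAUT_REGISTRY_ENTRIES = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc2k5" = "C:\WINDOWS\SVIQ.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Fun" = "C:\WINDOWS\system\Fun.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc" = "C:\WINDOWS\dc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "C:\WINDOWS\system32\config\Win.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\system32\WinSit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "C:\WINDOWS\inf\Other.exe"
'''

# Matches one `KEY\"name" = "data"` line of the list above.
_ENTRY_RE = re.compile(r'^(?P<key>[^"]+)\\"(?P<name>[^"]+)"\s*=\s*"(?P<data>[^"]*)"$')


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key path, value name, value data) for each well-formed line."""
    entries = []
    for line in text.strip().splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append((m['key'], m['name'], m['data']))
    return entries


def check_snapshot(snapshot: Dict[Tuple[str, str], str]) -> List[str]:
    """Flag worm persistence in a {(key path, value name): data} snapshot (constructed format).
    A hit needs the worm's key/value-name pair plus its executable name in the data, so it
    still fires when the Windows directory is not the default. Any Winlogon Shell other than
    plain explorer.exe is reported as tampered regardless of which file was appended."""
    wanted = {(k.lower(), n.lower()): ntpath.basename(d).lower()
              for k, n, d in parse_entries(IMAUT_REGISTRY_ENTRIES)}
    findings = []
    for (key, name), data in snapshot.items():
        k, n, d = key.lower(), name.lower(), data.lower()
        if (k, n) in wanted and wanted[(k, n)] in d:
            findings.append(f'W32.Imaut.AS persistence: {key}\\{name} = {data}')
        elif k.endswith('\\winlogon') and n == 'shell' and d.strip() != 'explorer.exe':
            findings.append(f'tampered Winlogon Shell: {data}')
    return findings


# Constructed sample snapshot: one clean Run entry, an empty "load" value, and two worm hits.
SAMPLE_SNAPSHOT = {
    (r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run', 'ctfmon.exe'): r'C:\WINNT\system32\ctfmon.exe',
    (r'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows', 'load'): '',
    (r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run', 'dc2k5'): r'C:\WINNT\SVIQ.EXE',
    (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'Shell'): r'Explorer.exe C:\WINNT\system32\WinSit.exe',
}

if __name__ == '__main__':
    for finding in check_snapshot(SAMPLE_SNAPSHOT):
        print(finding)
```

On a live host the snapshot would come from an autoruns or `reg export` dump of the same keys; the empty `load` value in the sample shows that a key the worm uses is not by itself a finding.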